Skip to content

Auto-renew Letsencrypt

Auto-renew Letsencrypt is almost mandatory after setting up the letsencrypt with nginx, I am using the default location of the certifications. /usr/local/etc/letsencrypt/live
Letsencrypt certificates can be used for other things than just a webserver. I use it for my mail server also, and my owncloud instance.
Every server is in its own jail on my FreeBSD server. And I plan to just make the script copy every certificate to all my jails.

Letsencrypt certificates has only a 3 month life-time. Which is okey when not paying a dime for it. At first I thought, well I can manually manage that. But now that my number of servers has grown that I have to manage, I really need the renewal to be automated.

I looked at the internet to see if anyone had done the work before, but I did not find anything that meet my demand, only close. So I took that and rewrote it for my needs. I like to share that for others, either to use it as it is, or to have it for inspiration for their own use-case. The “Auto-renew Letsencrypt” script can be found at my github page: https://github.com/kulmosen

Disclaimer: Use the code as is. This solved my use-case, but yours might vary.

Auto-renew Letsencrypt script

#!/bin/sh

# Copyright (c) 2015 Marie Helene Kvello-Aune (marieheleneka at gmail dot com; http://savagedlight.me)
# Copyright (c) 2016 Dennis Juhler Aagaard (dennis at kulmosen dot dk; http://kulmosen.dk)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#

# This script will check if the specified certificate will
# expire in 14d or less and if so, instruct let's encrypt to renew it.
# It will also reload the configured webserver if certificate is renewed.

#
# Start of configuration
#

# Change to reflect your correct email addresses.
TOEMAIL="email@domain.com"
FROMEMAIL="root@FQDN"

# Location of certificates. If other than default please change path.
DIR="/usr/local/etc/letsencrypt/live"

# Probably don't need to edit below here
LETSENCRYPTSERVER='https://acme-v01.api.letsencrypt.org/directory'
OPENSSL="/usr/bin/openssl"
LETSENCRYPT="/usr/local/bin/letsencrypt"

# Manage the nginx service to free up port 80.
STARTWEBSERVER="/usr/sbin/service nginx start"
STOPWEBSERVER="/usr/sbin/service nginx stop"
STATUSWEBSERVER="/usr/sbin/service nginx status"
#
# End of configuration.
#
#
# !!! DO NOT EDIT BELOW HERE !!!
#

cd $DIR
# My Letsencrypt tend to put a log file in here. Clear that log file before running the script
if [ -f "$DIR"/letsencrypt.log ]
then
rm -f "$DIR"/letsencrypt.log
fi
# Read the list of all domains in $DIR
for domain in *
do
if $OPENSSL x509 -checkend 1209600 -noout -in "$DIR"/"$domain"/fullchain.pem
then
SUBJECT=""$domain" certificate still valid!"
echo "The domain certificate for "$domain" is good for more than 14 days!" | mail -s "$SUBJECT" "$TOEMAIL" -r "$FROMEMAIL"
exit
else
if $STATUSWEBSERVER
then
$STOPWEBSERVER
fi

$LETSENCRYPT certonly --renew --server $LETSENCRYPTSERVER -d $domain
echo "Certificate is renewed. Retesting"
if $OPENSSL x509 -checkend 1209600 -noout -in "$DIR"/"$domain"/fullchain.pem
then
SUBJECT=""$domain" certificate renewed!"
echo "Certificate for "$domain" has been renewed and will be valid for the next 3 months." | mail -s "$SUBJECT" "$TOEMAIL" -r "$FROMEMAIL"
else
SUBJECT=""$domain" certificate renewal failed!"
echo "Certificate failed to renew. Check logs to troubleshoot." | mail -s "$SUBJECT" "$TOEMAIL" -r "$FROMEMAIL"
fi
fi
done
# Starting webserver...
if $STATUSWEBSERVER > /dev/null
then
exit
else
$STARTWEBSERVER
fi
exit

Enjoy 🙂

Update: “fixed typo in the script. WordPress do not handle > and < particular well.”

Published inBSDScriptingServer Services

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *